On Mon, Feb 13, 2017 at 4:48 AM, Gervase Markham via dev-security-policy <
[email protected]> wrote:
> Hi Steve,
>
> On 12/02/17 15:27, Steve Medin wrote:
> Thank you for this timely response. Mozilla continues to expect answers
> to all reasonable and polite questions posed in our forum, and is happy
> that Symantec is taking this approach.
Indeed Steve, thank you for your continued attention as we try to gain the
information and understanding necessary to determine how best to protect
users from misissued certificates.
I note that Symantec's answer to question 1 in [1] reiterates that, in
Symantec's view, the set of misissuance previously was solely related to a
specific internal tool, and as such, the remediation steps Symantec engaged
in focused on the process and controls related to that tool.
I highlight this because it seems difficult to understand the distinction
between the previous event and this current event, and understanding that
distinction seems relevant to understanding whether the steps Symantec took
previously were reasonable and complete to address this set of issues and
the community trust, as well as understanding the steps Symantec is
proposing or has taken in response to this current set of issues.
In the previous misissuance event, my understanding is that Symantec
asserts that the whole totality of the misissuance was related to a single,
specific tool. Symantec's initial response [2] was to assert that the issue
was limited to rogue actions of a few individuals contrary to Symantec's
policies and procedures. The proposed remediation of this was a termination
of relationship with those specific individuals. However, it was pointed
out by browsers based on a simple cursory examination that such a statement
was not consistent with the data - that the full set of issues were not
identified by Symantec in their initial investigation, and only upon
prompting by Browsers with a specific deadline did Symantec later recognize
the scope of the issues. In recognizing the scope, it was clear that the
issues did not simply relate to the use of a particular tool, but also to
the practices of employees with respect to asserting that things were
correct when they were not. A specific example is that the role of
Validation Specialist - which is tasked with independently reviewing the
certificate request for non-compliance - was designed in such a way that it
could be bypassed or overridden without following the appropriate policies.
These were actions independent of any particular tooling.
These issues were then amplified by the fact that Symantec was failing to
ensure that its policies and practices adhered to the appropriate version
of the Baseline Requirements, and that employees and staff were trained on
the appropriateness of ensuring the appropriate policies were followed,
regardless of the tools being employed.
In response to this issue, Symantec took a series of corrective steps, such
as:
- A comprehensive review of its Policies and Practices to ensure compliance
with the Baseline Requirements, as requested in [3] (and available at [4])
- The establishment of a centralized Compliance team to ensure compliance
across Symantec branded-CAs
- Internal training, which on the basis of [1] appears to have been limited
to a specific tool, rather than to the overall auditable criteria or
policies
In the current misissuance, my understanding is that Symantec asserts that
the totality of the misissuance was related to RAs. Symantec's initial
response to the set of questions posed by Google [5] indicated that " At
this time we do not have evidence that warrants suspension of privileges
granted to any other RA besides CrossCert" in the same message that
provided the CP/CPS for other RAs besides CrossCert, and itself a follow-up
to Symantec's initial response to the Mozilla community, [6], which
acknowledged for the potential of audit issues in the statement "We are
reviewing E&Y’s audit work, including E&Y’s detailed approach to
ascertaining how CrossCert met the required control objectives.". This
appears to be similar to the previous event, in that the proposed
remediation was first a termination of relationship with specific
individuals. However, in Symantec's most recently reply, [1], it seems that
again, on the basis of browser questions from a simple cursory examination
that such a statement was not consistent with the data - that is, that the
full set of issues were not identified by Symantec in their initial
investigation, and only upon prompting by Browsers with a specific deadline
did Symantec later recognize the scope of the issues. In recognizing the
scope, it was clear that the issues did not simply relate to the use of a
particular RA or auditor, but also to the practices of RAs with respect to
asserting things were correct when they were not.
It appears that, similar to the Testing Tool's failure to ensure that
certificates were adhering to the fulsome standards of authentication,
Symantec's newly established compliance team was failing to perform even a
cursory review of the CP, CPS, and audit statements presented - despite
Symantec having found it necessary in that introspective process themselves
in response to [3], as noted above.
Symantec's also stated that, in response to the past misissuance, it
deployed a compliance assessment tool, which functionally serves a role
similar to a Validation Specialist. However, such compliance assessment was
designed in a way that it could be bypassed or overridden without following
appropriate policies.
Further, as acknowledged in [1], even when Symantec noted that at least one
of their RAs had identified specific deficiencies in practice and issuance,
Symantec determined it was not appropriate to notify Root Stores or Mozilla
of a "problem report". In response to the issues identified in Question 8
of [1], Symantec noted that one of their RAs was deficient in response to
its "policies and business practices change in regards to verification
procedures for issuing certificates", and allowed 90 days for the RA to
remediate this. However, it does not appear Symantec took any corrective
action for the period under audit - a year long period - to review any
issued certificates during the period of deficiency. I highlight this
because Mozilla's Policy [7], Item 5, requires such notification to
[email protected], but Symantec acknowledges in Question 9 of [1]
that it failed to do so.
Symantec's proposed remediation for these issues appears to be limited to:
- Suspend the use of RAs for independent validation of domain control and
organizational information
With this background in mind, and the comparisons highlighted, I do hope
Symantec can consider the following questions:
1) Given that the Baseline Requirements require that Symantec accept full
liability and responsibility for all actions by Delegated Third Parties,
can Symantec please provide what were the specific steps and process
Symantec's Compliance Team took in reviewing Registration Authorities prior
to the detection of this misissuance? Specific example questions include:
a) Did Symantec's compliance team independently assess the WebTrust
licensing status of each received audit?
b) Did Symantec's compliance team review the CP and/or CPS of each
Delegated Third Party to independently assert compliance with the STN
CP/CPS?
2) Given that Symantec has noted that RAs bore the capability to override
the results of the compliance tool, can Symantec please provide details
about every certificate Symantec has issued which has had the compliance
check overridden?
3) Symantec noted in [5] that "Each certificate request is screened for BR
compliance failure. Failures are flagged, preventing RA issuance until the
flag is cleared." Can Symantec please confirm that "RA issuance" refers to
the act of Symantec signing a TBSCertificate and producing a signed
certificate, as opposed to any other interpretation, such as Symantec
signed the certificate, but did not provide it to the RA until the flag was
cleared?
4) Was the problematic audit, highlighted in Questions 10 and 11 of [1],
CertSuperior's first audit as a Symantec RA? Stated differently, did
Symantec engage in any business relationship with CertSuperior prior to the
production of [8]?
5) Symantec's initial response to Mozilla, in [6], indicated that Symantec
will be conducting "a review of our delegated RA controls and why we did
not detect this problematic behavior before it was reported to us". What is
the timeline for when this review will be completed and published?
6) Please provide the specific dates that Symantec engaged in a Delegated
Third Party relationship with each of the RAs, so that the community can
independently evaluate the 'scope of the issues' with respect to what
certificates may be affected by the issues Symantec has disclosed.
7) Are there any elements in the above comparison between the past and
present misissuance that Symantec believes are factually incorrect or
unsubstantiated that Symantec would like to address or correct?
More broadly, a set of questions exist for the community to be considering
in evaluating Symantec's present and past responses, such as:
- Whether the community believes Symantec adhered to the appropriate duty
of care to review the CP, CPS, and audit reports produced for RAs, given
Symantec's own experiences through participation in the Mozilla Community
reviewing CP, CPSes, and audit reports of Symantec and other CA
participants, the Mozilla policies related to disclosure of sub-CA's CP,
CPS, and audit reports, and through Symantec's participation in the
CA/Browser Forum, in which audit and audit issues has been a long-standing
topic of discussion.
- Whether the community believes Symantec's compliance team, which failed
to detect these issues that were prominent and easily discovered, has
demonstrated itself as an appropriate compensating control for either the
past or present issues
- Whether the community believes Symantec's statements regarding the scope
of the issues - and the continued expansion of that scope - fully represent
and contain the set of misissued certificates and the set of compliance
issues
- Whether the choice of Symantec to discontinue the use of RAs represents a
sufficient mitigation for the past, existing and issued certificates
- Whether the choice of Symantec to discontinue the use of RAs represents a
sufficient and suitable mitigation for the possibility of future compliance
issues that may be discovered or arise
- What steps Symantec should take to reassure the Mozilla community of its
ability to abide by the letter and the spirit of the Mozilla CA Certificate
Policy if continuing to participate in the Mozilla CA Certificate program
- What steps Mozilla should take regarding Symantec to reassure the Mozilla
community of the appropriateness of continued trust in Symantec issued
certificates, given the past and present issues
[1]
https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487
[2]
http://archive.is/Ro70U
[3]
https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html
[4]
https://www.symantec.com/page.jsp?id=test-certs-update#
[5]
https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933
[6]
https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038
[7]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#inclusion
[8]
https://bug1334377.bmoattachments.org/attachment.cgi?id=8831930